[BreachExchange] Hackers could steal from shipping companies by diverting cargo payments

Destry Winant destry at riskbasedsecurity.com
Wed Jan 10 18:06:40 EST 2018


An electronic messaging system used by the shipping industry to send
payment for cargo could be subverted by hackers to steal money.

According to security researchers at Pen Test Partners, the IFTFCC
(International Forwarding and Transport message – Freight Costs and
other Charges) message has specific formats that are very interesting
to those trying to steal money. An IFTFCC is a message typically sent
from a shipping company to the receiver (or at least whoever is paying
for the shipment).

“IFTFCC has specific formats that are very interesting to those trying
to steal money,” said Ken Munro, partner at Pen Test Partners.

According to Munro, the message format allows for various compulsory
and optional fields. Most of the message covers information about
currencies, values, tax etc.

“One could cause chaos by switching around values so that invoices
weren't paid correctly. Organisations are put on ‘credit hold’
unnecessarily as they paid the wrong amount unintentionally and the
whole shipping system gums up a little,” said Munro.

One part of the messaging format was particularly interesting to
researchers - FII or Financial Institution Information. This
component covers a party's name, address and function, such as message
sender, message receiver, payee, payer, ordering party. There is also
a segment identifying the financial institution such as a bank and
account numbers for the payee only.

Munro said that in FII group C078, there are account details.
“Manipulate this data and the payment is misrouted – the consignee
pays the wrong account and the funds are stolen,” said researchers.

Researchers said that there should be a cross-check that limits the
ability to carry out fraud. “Hopefully, the shipping company and
consignee will ensure that the FII details match the Bill of Lading –
this is effectively a contract specifying who/what/where/how much etc
– everything involved in the billing and shipping process,” said

But Munro said that there have been many occasions where security
breaches have happened as a result of assumptions made by various
parties about security.

“Consider a regular invoice fraud email: the accounts payable
department at the consignee receives a change of banking details
letter. They change the bank details, the payment is misrouted and
stolen,” said Munro. “It was assumed that the email was genuine.
No-one checked the validity of the change request. If no-one checks
that the EDI message involving FII and account detail is genuine, then
payments can be stolen.”

He said that he could not determine how widely banking information is
transmitted over EDI. “From various messages I've seen, it is clear
that some banking information IS transmitted though,” he said.

He said that often, users make assumptions about security with no
knowledge of message transport security, authentication and integrity.

“Irrespective, any user of EDI messaging for anything financial,
maritime or not, would do well to check that their systems are secured
from message manipulation and related invoice fraud,” said Munro.
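
The cross-check described above, sketched as an added example that is not part of the original article or Pen Test Partners' work: it pulls the account details out of each FII segment (C078 composite) and compares them with the accounts held on record for the shipment. The sample message, the account value and the function names are constructed, and default EDIFACT delimiters are assumed.

```python
import re

# Constructed sample fragment; default EDIFACT delimiters assumed:
# ' ends a segment, + separates elements, : separates components, ? is the release char.
SAMPLE = ("NAD+PE+SHIPCO01'"
          "FII+PE+GB00TEST00000000001234:Example Shipping Ltd+EXAMPLEBANK'"
          "MOA+9:1500.00:USD'")

def split_edi(text, sep):
    """Split on sep but not on a separator escaped with the release character '?'."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "?" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape for lower-level splits
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    return re.sub(r"\?(.)", r"\1", value)

def fii_accounts(message):
    """Return (party_qualifier, account_number, holder_name) for every FII segment."""
    found = []
    for seg in split_edi(message, "'"):
        elems = split_edi(seg.strip(), "+")
        if elems[0] != "FII":
            continue
        qualifier = unescape(elems[1]) if len(elems) > 1 else ""
        c078 = split_edi(elems[2], ":") if len(elems) > 2 else [""]
        holder = unescape(c078[1]) if len(c078) > 1 else ""
        found.append((qualifier, unescape(c078[0]), holder))
    return found

def check_message(message, accounts_on_record):
    """List FII accounts that do not match the record held outside the EDI channel
    (assumption: taken from the Bill of Lading / contract data). Empty list = all match."""
    norm = lambda a: a.replace(" ", "").upper()
    trusted = {norm(a) for a in accounts_on_record}
    return [(q, acct, holder) for q, acct, holder in fii_accounts(message)
            if norm(acct) not in trusted]
```

A non-empty result from `check_message` is the point at which payment should be held until the account is confirmed through a separate channel.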
